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Abstract. Arguably, tj-regular languages play an important role as a specifica- 
tion formalism in many approaches to systems monitoring via runtime verifica- 
tion. However, since their elements are infinite words, not every oj-regular lan- 
guage can sensibly be monitored at runtime when only a finite prefix of a word, 
modelling the observed system behaviour so far, is available. 
The monitorabUity of an uj-regular language, L, is thus a property that holds, if 
for any finite word u, observed so far, it is possible to add another finite word 
V, such that uv becomes a "finite witness" wrt. L; that is, for any infinite word 
w, we have that uvw G L, or for any infinite word w, we have that uvw 
L. This notion has been studied in the past by several authors, and it is known 
that the class of monitorable languages is strictly more expressive than, e.g., the 
commonly used class of so-called safety languages. But an exact categorisation of 
monitorable languages has, so far, been missing. Motivated by the use of linear- 
time temporal logic (LTL) in many approaches to runtime verification, this paper 
first determines the complexity of the monitorability problem when L is given 
by an LTL formula. Further, it then shows that this result, in fact, transfers to 
a;-regular languages in general, i.e., whether they are given by an LTL formula, a 
nondeterministic Biichi automaton, or even by an a;-regular expression. 



1 Introduction 

In a nutshell, the term runtime verification subsumes many techniques that are used 
for monitoring systems, i.e., for checking their execution as it is happening. Naturally, 
there exists a variety of different approaches to runtime verification. In this article, we 
will focus on those which are based on the theory of formal languages, where a so 
called monitor checks whether or not a consecutive sequence of observed system ac- 
tions belongs to a formally specified language. For example, if the language comprises 
all undesired system behaviours, then a positive outcome of this check would normally 
lead to the raising of an alarm by the monitor, whereas if the language describes a 
desired system behaviour, the monitor could be switched off. 

As a formalism to describe such languages, many runtime verification approaches 
(cf. 11719141211 ). use linear-time temporal logic (LTL ITSll ). whose formulae describe sets 
(languages) of infinite words (or, w-languages), meaning that the models of an LTL for- 
mula are infinitely long sequences of symbols. The rationale for using LTL to describe 
properties of systems is that many systems for which formal verification is required (at 
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runtime or off-line) are critical and/or reactive; that is, their failure would have catas- 
trophic impact on its users and/or the environment, and consequently one would like 
to make assertions about the entire lifespan of such systems, some of which are never 
switched off, unless they are physically broken and can be replaced in a controlled 
manner A typical requirement for such systems, that can also easily be formalised in 
LTL, would be "the system must never enter a bad state." Although the monitor would 
require an infinitely long observation to flag satisfaction of the property, it is always 
able to raise an alarm after finitely many observations, simply due to the fact that a 
violation of such a property can always be detected in the same instance as the system 
entering the bad state. Hence, if such a property, formalised as an LTL formula, is mon- 
itored, one would expect the monitor to only detect violations. Formal languages which 
describe properties of this form are therefore referred to as safety languages or safety 
properties, and they have in common that all sequences of actions that violate them are 
detectable after finitely many observations. Note that languages belonging to the com- 
plementary class of safety properties are known as the co-safety properties, implying 
that satisfaction (rather than violation) of any such type of property is always detectable 
by a monitor after finitely many observations, i.e., via a finite "witness." 

Since the languages definable by LTL formulae exceed the expressiveness of safety 
and co-safety languages, a natural question to ask, given an arbitrary LTL formula, is 
whether or not the given formula is monitorable at all. This is, arguably, an interesting 
question in its own right, and ideally, we would like to know the answer prior to any 
attempts of building a monitor, or starting a monitoring process based on an unmoni- 
torable language. Of course, what we then need is a more general notion of monitorabil- 
ity of an LTL formula: Intuitively, we say that the language given by an LTL formula is 
monitorable if, after any number of observed actions, the monitor is still able to detect 
the violation or satisfaction of the monitored property, and after at most finitely many 
additional observations. As an example of a non-monitorable, LTL-definable language 
consider a property such as "it is always the case that a request will eventually be an- 
swered," which is a so called liveness property. For this property no finite witnesses of 
violation or satisfaction exist, since any finite sequence of actions can be extended to 
satisfy this property. In order to know that some request is, indeed, never answered, a 
monitor would therefore require an infinite sequence of actions. In consequence, most 
examples of liveness properties that can be found in the literature violate the intuitive 
definition of monitorability given above. To determine whether or not an LTL formula 
specifies a liveness property is a PSpace-complete problem ||23]| . However, they are not 
the only types of properties, which can be formally specified in LTL that are not mon- 
itorable, and as this paper will show there exists no criterion that allows to answer the 
monitorability question for any given formula in a simple, syntactic manner 

Pnueli and Zaks |[T6l were the first to formalise a notion of monitorability, which 
matches the intuitive account given above: According to ITSl a formula is monitorable 
wrt. a finite sequence of actions, if that finite sequence can be extended to be a finite 
witness for violation or satisfaction of that formula. However, Pnueli and Zaks did not 
address the question of deciding monitorability for a given formula (and sequence). 
In 121 a slightly more general formalisation based on a 3-valued semantics for LTL 
is given, such that monitorability of an LTL formula becomes a property of only the 



formula. Moreover, Falcone et al. JS] have recently shown that the definition given in 
||2l is, indeed, a generalisation of the one given earlier in |fT6l . and termed it "classi- 
cal monitorability." In their paper, they have at first wrongly concluded — but later also 
corrected |6j| — that the class of monitorable languages, under classical monitorability, 
consists exactly of the obligation properties in the hierarchy of safety-progress prop- 
erties (cf. |fT3l), which is orthogonal to the safety-liveness classification. An obligation 
property, for example, is obtained by taking a positive Boolean combination of safety 
and co-safety properties. Despite their correction, Falcone et al. left the question re- 
garding the complexity of monitorability of an LTL formula (or w-regular language 
in general) open. Note that Q did imply a decision procedure based on the construc- 
tion and subsequent analysis of deterministic monitors for LTL formulae, but the given 
procedure requires 2ExpSpace (see Sec.|3ll. 

One of the main contributions of this paper is a proof that this upper bound is not 
optimal, in that monitorability of an LTL formula can be decided in PSpace. In fact, it 
will show that the monitorability problem of LTL, i.e., the decision problem that asks 
"is a given LTL formula monitorable?" is PSpace-complete, and that this result even 
transfers to w-regular languages in general — regardless as to whether they are given by 
an LTL formula, a nondeterministic Biichi automaton, or an cj-regular expression. As 
such it is also proof that no simple syntactic categorisation of monitorability of an LTL 
formula (or w-regular language), which could be checked in polynomial time, exists. On 
the other hand, the result implies that checking monitorability is no more complex than 
checking safety or co-safety, which have often served as the "monitorable fragment" in 
the past (cf. I18I8I9I ). 

As a special case the paper also considers the monitorability problem of Buchi au- 
tomata, where the automaton in question is deterministic, and shows that this restricted 
form of the problem is solvable in polynomial time. Finally, it shows that the moni- 
torable w-languages are closed under the usual Boolean connectives; that is, they are 
closed under finitary application of union, intersection, and complementation. 

Outline. The remainder is structured as follows. The next section recalls some prelim- 
inary notions and notations used throughout this paper. Sec. |3] gives a formal account 
of monitorability of an w-language and phrases the corresponding decision problem(s). 
Sec.|4]puts two well-known classifications of cj-regular languages, namely the classifi- 
cation in terms of the safety-progress hierarchy (cf. ifTSl ) as well as a topological view, 
in relation with the notion of monitorability. The main contribution of this paper, which 
makes use of these classifications, can be found in sections |5] and |6] and as such they 
are also the most technical sections, in that they contain the complexity analyses and 
proofs of the monitorability problems of w-regular languages. Sec.|2]details on closure 
properties of monitorable w-langues, and Sec.[8]concludes. 

2 Basic notions and notation 

We encode information about a system's state in terms of a finite set of atomic propo- 
sitions, AP, and define an action to be an element of 2^^. In a sense, an action can 
be seen as a global state that is determined by the individual atomic sub-states encoded 



by elements from AP. We will therefore use the terms action and state synonymously. 
The system behaviour which the monitor observes then consists of a sequence of ac- 
tions. Therefore, we define an alphabet, S := 2^^, and treat consecutive sequences 
of actions as words over U. As is common, we define S* as the set of all finite words 
over U, including the empty word, and Z"" to be the set of infinite words obtained by 
concatenating an infinite sequence of nonempty words over U. Infinite words are of the 
form w = wqWi . . . G S'^ and are usually abbreviated by w, w', and so on, whereas 
finite words are of the form w = . . . m„ £ S* and are usually abbreviated by u, u', v, 
and so on. Let w G Z'", then denotes the infinite suffix WiWi+i . . ., whereas u < w 
denotes a prefix of w. w is a proper prefix of w (u -< w), if u ^ w and u ^ w. For any 
p G AP, and a given a G S,if p G (t holds, we also say that "p holds (or, is true) in the 
state cr". If p ^ a, then "p does not hold (or, is not true) in state tr." 

The syntax of LTL formulae, which are given by the set LTL(AP), is defined as 
follows; if ::= p \ -^ip \ ip \/ (p \ Ji.ip \ (pTJcp, with p G AP. If the set of atomic propo- 
sitions is clear from the context, we write LTL instead of LTL{AP). LTL formulae are 
interpreted over elements from Z" as follows. Let i G N, and (fijip & LTL, then 

^ p ^ p G Wi 

[= py ^ w'^ ^ py w'^ ip 

w'- 1= plJip <^3k > i. 1= A Vi < j < k. ip 

Further, we will make use of the usual syntactic sugar such as true = p V ^p, false = 
-itrue, (y9 A "0 = V -iip), Fip = trueXJp, and Gp = -'(F-'p). 

It is well-known that, for any p G LTL, we can construct a nondeterministic Biichi 
automaton (NBA), A^p = (Z, Q, Qo, F), where S is the alphabet, Q the set of states, 
Qvi QQ designated initial states, (5 : Q x Z — s- 2"^ the transition relation, and F C Q a 
set of final states, such that the accepted language of Aip contains exactly all the models 
of p, i.e., C{Aip) = C{p). If some language of infinite words, called an w-language, 
L C Z" is such that there exists an NBA, A, such that C{A) = L, then L is called 
uj-regular. Obviously, the language specified by an LTL formula is always w-regular. 
The size of A^, usually measured wrt. \Q\, is, in the worst-case, exponential wrt. the 
size of p. For details on the construction as well as further properties of A^p, cf. Il22l . 

3 When is an cu-language monitorable? 

Let us fix an L C S'^ for the remainder of this section. In accordance with |[T6l and 
Falcone et al. ||5] formally define the monitorability of an w-language as follows. 

Definition 1. L is called 

- negatively determined by u G S*, ifuS'^ n L = 0; 

- positively determined by u G S*, ifuS'^ C L; 

- M-monitorable/or M G S*, if3v G S*, s.t. L is positively or negatively determined 
by uv; 



- monitorable, if it is u-monitorable for any u € S*. 

This also lends itself to another, sometimes more intuitive way to think about monitora- 
bility of an w-language, namely in terms of good and bad prefixes. 

Definition 2. The set of good and bad prefixes /or L are defined as good{L) {u G 
E* I uS'^ C L} and bad{L) := [u e S* \ uS'^ n L = 0}, respectively. 

For brevity, we also write good{(p) (respectively, bad{ip)) short for good{C{Lp)) (re- 
spectively, had{C{if))), good{A) (respectively, had{A)) short for (/oo(i(£(^)) (re- 
spectively, bad{C{A))). 

Proposition 1. L is monitorable //Vu G S* .3v G S* . uv G good{L) \/ uv £ bad{L). 

In other words, L is not monitorable if there exists a finite word u G S* for which we 
can not find a finite extension v £ S*, such that uv is either a good or a bad prefix 
of L. Naturally, given some L, not every finite word is a good or a bad prefix of L, in 
which case we call such a word undetermined (wrt. L). Let m G Z"* be an undetermined 
prefix, then, depending on L, the following scenarios are possible: we can find a finite 
extension v G S*, such that uv G good{L), we can find a finite extension v, such that 
uv G bad{L), or there does not exist a finite extension v, such that uv G good{L) or 
uv G bad{L) would hold. In 121, the latter were called "ugly" prefixes, and L "non- 
monitorable," if there exists an ugly prefix for it. 

Let us now define the monitorability problem of an w-language as follows. 

Definition 3. The monitorability problem/or some L is the following decision problem: 
Given: A set L C Z"". 

Question: Does \/u G S* . 3v G S* . uv G good{L) W uv G bad{L) hold? 

When L is given in terms of an LTL formula, an NBA, or an w-regular expression 
(which are basically defined like ordinary regular expressions, augmented with an op- 
erator for infinite repetition of a regular set, cf. 122), we call this problem the moni- 
torability problem of u- regular languages, or — more specifically — the monitorability 
problem of LTUBiichi automata/uj-regular expressions, respectively. 

One of the main contributions of |f2l was a procedure that, given a formula Lp G LTL, 
constructs a deterministic finite-state machine (i.e., a monitor for ip) whose input is a 
consecutively growing, finite word u G S*, and whose output is T if it G good{if), _L 
if u G bad{(p), and ? if u is undetermined. Once this monitor is computed, the moni- 
torability of (fi can be determined in polynomial time, simply by checking if there exists 
a state whose output is ? with no path leading to a T- or ±-state. If such a state, called a 
?-trap, exists, then (p is not monitorable. Notice, however, that this monitor construction 
(and this decision procedure) requires 2ExpSpace: as a first step, it creates two NBAs, 
one which accepts all models of Lp and one that accepts all counterexamples of ip (i.e., 
all models of -^ip), and then proceeds by examining and transforming the resulting state 
graphs of these automata. Recall, NBAs accepting the models of an LTL formula are, 
in the worst case, exponentially larger than the corresponding formula. Since at some 
point, the two automata are made deterministic, the double exponential "blow up" fol- 
lows. Moreover, although not explicitly mentioned in 01, by altering the first step of 
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Fig. 1. Some example monitors and corresponding LTL specifications. 

this procedure, it can be used to decide the monitorability of cj-regular languages, in 
general, i.e., whether given as an LTL formula, as NBA, or as an w-regular expression. 
For example, if instead of a formula, an NBA is given, one has to explicitly complement 
this automaton, which also involves a worst-case exponential "blow up" wrt. the num- 
ber of states of the original NBA. However, then the rest of the procedure described in 
111 stays the same. On the other hand, if we are given an w-regular expression instead, 
we first have to build an NBA, which can occur in polynomial time. Then, in order to 
get the complementary language, one also needs to complement this automaton. Hence, 
independent of the concrete representation of an w-regular language, the construction 
and subsequent analysis of the corresponding monitor can decide monitorability in 2Ex- 
pSpace. Therefore, indirectly, |2] shows decidability of the monitorabiliy problem, but 
whether or not this bound is tight was left open in that paper 

Examples. Let us examine some examples to understand how this construction works 
and what its outcome is. Fig. [T] depicts some finite state machines (i.e., the monitors) 
for several LTL formulae, which were automatically generated using the LTLa-toolo, 
which are written by the author of this paper and implement the above construction. 
Each monitor is complete in a sense that for every action from the alphabet, there exists 
a transition. Note that, although not explicitly marked, the initial state is the top-most 
?-state, respectively. Any word u £ S* which has a corresponding path in a monitor to 
a ?-state is undetermined wrt. the w-language being monitored. On the other hand, if u 
leads to a state labelled T (respectively. A.), then li is a good (respectively, bad) prefix 
of the w-language being monitored. It is easy to see, that all the formulae give rise to a 
monitorable language; that is, from any reachable state in the respective monitor, there 
always exists a path to a state labelled either T or _L. Let us, therefore, also present a 
language which is not monitorable and whose (practically not very useful) monitor is 
depicted in Fig.|2] Clearly, the right-most state is a ?-trap; that is, once reached by some 

' Available under an open source license at http://LTL3tOOls.SourceForge.Net/ 



Fig. 2. "Monitor" for a non-monitorable language given by a A X(GF&). 



finite prefix u € E*, there exists no extension v G S* for u, such that a T- or a ±-state 
can be reached. Or, in other words, every word u = uq . . . it„, such that a e uq is an 
ugly prefix of C{a A X(GF6)). 

4 A classification of cj-languages 
4.1 The safety-liveness view 

Alpern and Schneider HI were the first to give a formal characterisation of w-languages 
in terms of safety and liveness properties. This view was subsequently extended to an 
entire hierarchy of w-languages, where languages defining safety properties, or their 
complement are at the bottom (cf. fT3l ). 

Definition 4. L describes a safety language (also called a safety property), if\fw ^ 
L. 3u -< w. uS'^ n L = 0. L describes a co-safety language (also called co-safety 
property), if\fw G L. 3ii -< w. uS'^ C L. 

In other words, if L specifies a safety language, then all infinite words w ^ L, have a 
bad prefix. On the other hand, if L specifies a co-safety language, then all infinite words 
w G L, have a good prefix. This also explains why safety and co-safety properties lend 
themselves so well to runtime verification using monitors: if the specification to be 
monitored gives rise to a safety language, then all violations of the specification are 
detectable by the monitor after only finitely many observations of actions emitted by 
the system under scrutiny. That is, let u G S* he a word, resembling the sequence of 
actions, then either there exists a w G S*, such that uv G bad{L), or u G good{L) 
already holds. On the other hand, if the specification to be monitored gives rise to a 
co-safety language, then all models of the specification are detectable by the monitor 
after only finitely many observation^ That is, let u € S*, then either there exists a 
V G S*, such that uv G good{L), or it G bad{L) already holds. It follows that a 
co-safety language always has the form BE'^, where B C E*. 

Safety and co-safety are dual in a sense that if i is a safety language, then E^\L, 
from this point forward also abbreviated as L, is a co-safety language, and vice versa. 
The following easy to prove proposition makes this duality formal. 

" From this point forward, we will omit the use of precisifications such as "emitted by the system 
under scrutiny", etc. and simply speak of abstract words and actions, when the context is clear 
or simply does not matter 



Proposition 2. had{L) ~ good{L) and bad{L) = good{L). 

Definition 5. L describes a liveness language (also called a liveness property) if^u G 

In other words, if L specifies a liveness language, then bad{L) = — in which case 
L may only be monitorable if good{L) ^ also holds. The definition of Uveness, 
however, does not require good{L) to be empty or non-empty. Hence, from a runtime 
verification point of view, many liveness languages which are commonly used to de- 
scribe system properties in the area of formal verification using, say, temporal logic 
model checking, turn out to be not monitorable. 

Examples. Let us look at some example languages, specified in terms of LTL for- 
mulae. The formula = G^bad_state with bad_state e AP formalises, in an ab- 
stract manner, the requirement from the introduction: the system must never enter a 
bad state. In other words, -ibad_state must always be true. It is a safety property as 
any prefix containing a state in which bad_state is true is a bad prefix of e.g., 
u = 0000 . . . {bad_state} e bad{Lp). Naturally, -.(^ = -.(G-.bad_state) = Fbad_state 
describes a co-safety property. Any finite word containing a state where the proposition 
bad_state is true is a good prefix for -^(p. In practical terms, this means that a monitor, 
checking either language will be able to make a conclusive decision after the first occur- 
rence of bad_state in the observed sequence of system actions. In fact, we can postulate 
the following proposition which, using Proposition |2l is easy to prove formally: 

Proposition 3.1fip specifies a safety or a co-safety language, then ip is monitorable. 

It is also easy to verify that the formula Fbad_state meets the definitions of both co- 
safety and liveness. However, as we will see, not all co-safety languages are also live- 
ness languages, and vice versa. In fact, unlike Fbad_state most liveness languages 
do not lend themselves to runtime verification via monitors, because they may have 
neither bad nor good prefixes that would eventually lead a monitor to a conclusive 
answer. The liveness property given in the introduction, and formalised in LTL as 
G(request Fanswer), is such a case. The following proposition is easy to prove: 

Proposition 4. If specifies a liveness language, such that good(ip) — %, then ip is not 
monitorable. 

It follows that a formula of the form ip = GF{ip) is not monitorable unless ip = true 
OT Ip = false. In the first case we would get C{(p) — Z"", and in the latter C{lp) = 0, 
both of which meet the definition of monitorability. In fact, the languages given by the 
sets and 17" are both safety and co-safety. 

As a final example, let us consider obligation languages. In ifTH , Manna and Pnueli 
define the class of obligation languages as follows. 

Definition 6. L describes an obligation language (also called an obligation property) 
if L either consists of an unrestricted Boolean combination of safety languages, or an 
unrestricted Boolean combination of co-safety languages, or a positive Boolean com- 
bination of safety and co-safety languages. 



Falcone et al. |6 1 have shown that 

Proposition 5. If ip specifies an obligation language, then is monitorable. 

To see that the other direction is not true, consider the counterexample given by the 
formula in Fig. |l(d)[ it does not specify an obligation language, yet it is monitorable. 

4,2 The corresponding topological view 

Alpern and Schneider showed in |[T| that 

Proposition 6. Every language L can be represented as the intersection L = LsHLl^ 
where Ls is a safety language, and Ll is a liveness language. 

Their proof is based on the observation that safety languages (over some alphabet S) 
correspond to closed sets in the Cantor topology over Z"" (cf. lfT3l ). and liveness lan- 
guages to dense sets. It follows that co-safety languages correspond to open sets in that 
topology. Sets which are both closed and open, are referred to as clopen. It is worth 
pointing out, and easy to prove, that both and S'^ are clopen. Given a set L C Z"" 
and element w G S'^, w is a limit point of L, if there exists an infinite sequence of 
words wi, ^2, . . ., all of which are in L, which converges to w. Clearly, any w G L is 
a limit point of L, since w, w, . . . converges to w. The topological closure of L, written 
cl{L), is then defined as the set of all limit points of L. Then, obviously, L C cl{L). 
The following gives a direct definition of cl{L): 

Definition 7. cl{L) := {■!« e i;" | Vu ^ w. 3w' e L.u< w'}. 

From a basic result of topology, a topological closure operator on S'^ defines a topol- 
ogy, where a set i C 17" is closed (i.e., a safety language) if and only if cl{L) C L 
also holds. Moreover, L is dense (i.e., a liveness language), if and only if cl{L) ~ 17". 

This alternative classification of w-languages proved useful as many important re- 
sults from topology transfer to the commonly used classification in terms of safety and 
liveness properties. For example, due to Alpern and Schneider UJ it is well-known that 
the topological closure of a language that is given by an NBA, A, where non-reachable 
and dead-end states have been eliminated, can be determined by an NBA, A', which is 
like A except that all states are made final. Now, C{A) gives rise to a safety language if 
and only if C{A) = ^{A') as C.{A') = cl{C{A)). We will make use of this and similar 
results in the remainder For a comprehensive overview on this topology, cf. II1I13I . 

5 The monitorability problem of LTL 

The results of this section will show that the monitorability problem of LTL is PSpace- 
complete. In order to show this, we will make use of a well-known construction of a 
tableau for an LTL formula, which has been given many times before in the literature 
(cf. 02OII9I ). For reasons of self-containedness, we briefly summarise its most important 
properties for our purposes. 

Let us first fix a formula Lp G LTL over some alphabet S. SF{ip) is the set consist- 
ing of the subformulae of (p or the negations of subformulae of (p. A set c C SF{(p) 



is complete if the following two conditions are met; 1. Boolean consistency of c; 2. for 

i-p' = 11 l\v ^ SF{tp), ip' £ cif and only if ^ e c and v e c. Let tab{(f) = {V, E) 
be a directed graph, where V is the set of all complete subsets of SF{(p), and elements 
(c, d) E E defined as follows; 

- for any Lp' = jiUv e SF{(p): (p' £ cAf and only if e c, or G c and ip' G d; 

- for any p' = XV' G SF{p): ip' E c if and only if G rf- 

Let for any c E V, tt{c) be the state such that for any atomic proposition p G SF{(p), 
7r(c)(p) = true if and only if p G c. An infinite path through tab{ip) is called accepting 
if for every node c on that path with (p' ~ fiXJiy G c, either G c, or there exists 
a (not necessarily immediate) successor node d, such that v E d. For any c G 
we say that c is a good node, if the conjunction of all subformulae in c is satisfiable; 
otherwise c is called a feaii no^fe. Notably, it holds that for any w G with the property 
Vz > 0. 3w' G such that wq . . . Wiw' ^ there exists an infinite path p of good 
nodes in tab{ip) starting from a node that contains tp, such that 7r(p) = w. Moreover 
for (p,ip € LTL, we denote by tab{(p) x tab{ip) the cross-product of the tableaux for ip 
and Ip, respectively. 

Lemma 1. Let ip not be monitorable. Then there exists a pair of nodes, (q, q') G 
tab{ip) X tab{-iip), reachable on some u G S* and where q, q' are conjunctions of 
subformulae of ip, respectively, such that C{q) and C{q') are dense. 

Proof. Following Proposition [T] the non-monitorability of </? is defined as follows 

3u G S*. yv G S*. uvS"^ n C{(p) ^ A uvS'^ ^ C{ip). 

In other words, there exists au E S*, such that none of the finite continuations w of u is 
(z) a bad or (m) a good prefix of (p. Let us fix such a particular u. From the construction 
of tab{ip) it follows that in order for (i) to be true, there must exist a node q G V^, 
reachable on u (i.e., tab{(p) has a path on u), such that Vw G S* . vS'^ n C{q) ^ 0. It 
is easy to see that L{q) is dense. Requirement (m), i.e., Vw G S* . uvS'^ % ^{v)^ is 
equivalent to \/v € S* . uv ^ good{p), which by Proposition|2]is equivalent to 

"iv eS*.uv (^badi^ip). (1) 

Lett?' G F-,,^ be a node in fa5(-i<^), reached on u. Now, for (1) tobe true, Vw G S*.v ^ 
bad{q') must be true, which is equivalent to \/v G S*. vS'^ n C{q') ^ 0. It is easy to 
see that >C(g') is dense. □ 

Lemma 2. If there exists a pair {q,q') G tab(ip) x tab{-"p), reachable on some u G 
E*, such that C{q) and C{q') are dense, then (p is not monitorable. 

Proof. Let {q, q') G tab{p) x tab{^(p) be reached via some u G S*, such that 

Vw eS*.v^ bad{C{q)) Av<^ bad{C{q')). 

Since q is reached on u, and by the construction of tab((p) it follows that Vw G w ^ 
bad{C{q)) is equivalent to Vw G . uv ^ bad{p) (and, accordingly, for q' and 
Thus, together with Proposition [2] we get 3u G S* .Vv G 17*. uv ^ bad{(p) A uv ^ 
good{(p), which corresponds to the definition of non-monitorability of (p, used in the 
previous lemma. □ 



Theorem 1. The monitorability problem ofLTL is decidable in PSpace. 



Proof. By Lemma [T] and |2] is not monitorable if and only if there exists a word, 
corresponding to a path through tab{(p) x tab{^ip) that contains a pair {q, q'), such that 
£{q) and C{q') are dense. As tab{(p) and tab{^(p) are of exponential size wrt. \(p\, we 
cannot construct either explicitly. Instead, we will guess, in a step-wise manner, a path 
through tab{(p) x tab{^Lp) to some pair {q,q'), and check if both C{q) and C{q') are 
dense. To check whether or not an LTL formula specifies a dense set is equivalent to 
checking whether or not it specifies a liveness language (cf. Sec. I4.2l i. It follows from 
Ultes-Nitsche and Wolper's work 1231 (Remark 4.3 and Theorem 4.6, if we replace L^^ 
to correspond to S'^) that this problem can be decided in PSpace. So, if the answer to 
this check is "yes", then ip is not monitorable. 

Since due to Savitch's theorem we know that NPSpace is equal to PSpace (cf. lfT4l ). 
we have thus shown that the "non-monitorability problem of LTL" is in PSpace. How- 
ever, as PSpace is equal to co-PSpace [|T4|, it follows that the complementary problem 
of that, i.e., the monitorability problem of LTL, is, in fact, decidable in PSpace. □ 

Theorem 2. The monitorability problem of LTL is P Space-complete. 

Proof. It is sufficient to show PSpace-hardness. We will reduce the PSpace-complete 
problem of determining whether or not a formula ip G LTL is satisfiable 1201 to the 
monitorability problem of LTL. Let us construct, in constant time, a formula ^ G 
LTL{AP') := Ga V GF(a' A ip), where a G AP, AP' := AP U {a'} and a' AP. 
We now claim that ip is monitorable if and only if C{(p) — 0. 

If C{(p) = 0, then ip = Ga, which can easily be seen monitorable. 

For the other direction, assume that ijj is monitorable, but that C{(p) ^ 0. Let Z" := 
andw G (2'^'f'\^''>)*. It is easy to see that itZ"'^n£(Ga) = 0, but ur"^n/:(^/') ^ 
0. Hence, for -0 to be monitorable, u has to be extensible with some v G such that 
either uvJ:"^ n L{G'¥{a' A y;)) = 0, or such that itwZ"" C £(GF(a' A cp)). Now, 
observe that irrespective of our choice of Lp (including the case p> = true), so long as 
£.{(p) 7^ 0, the set £(GF(a' A f)) neither has a bad nor a good prefix. This means 
that 3u G S'*. yv G S'*. uvS"^ H £(-0) ^ A uvS"^ % £(-0); that is, i]) is not 
monitorable. Contradiction. □ 

6 The monitorability problem of Btichi automata 

Let for the rest of this section A = (Z", Q, Qo, S, F) be a fixed NBA with C{A) C E'^. 
As pointed out in Sec. 14.21 a topologically closed set can be obtained from C{A) via an 
automaton, referred to as safe{A), whose accepted w-language will always be closed, 
irrespective of C{A). What is more, safe{A) can be constructed in polynomial time 
wrt. the size of A. Moreover for the next results, we also need an explicit representa- 
tion of live{A), whose accepted aj-language will always be dense. Like its counterpart 
safe{A), it can be constructed in polynomial time wrt. the size of A. For details on 
these constructions, see jl] Sec. 4]. Finally, we need to introduce the notion of a tight 
automaton, as a finite-state acceptor for good prefixes, as follows. 



6.1 Tight automata 



In preparation for the main results of this section, let us discuss how to obtain a tight 
automaton over S* that, given some NBA A, accepts good{A). The construction can 
be described by a two-stage process. 

First, we construct a nondeterministic finite automaton (NFA) that accepts the po- 
tentially good prefixes of A, where, without loss of generality, all unreachable and 
dead-end states have been eliminated. From A, we can easily derive the NFA Qj^ = 
{S, Q, Qo, 5, F), where F := Q is the set of accepting states, and the rest defined as 
for A. For this NFA it holds that 

Proposition 7. CiG'X) ^{ue S* \3w e S*. uw e C{A)}. 

From this point forward, let as a notational convention, A{q) be like A, except that 
Qo = {q}. 

Proof. (C): Take any u G C{Q'^). Obviously, there exists an accepting run on u in G^ 
to some state q & Q and by construction also a (finite) run in A reaching the same q as 
both automata share the same 6. As by assumption A is non-empty, and all unreachable 
and dead-end states have been eliminated, it then follows that C{A{q)) ^ 0, i.e., G 
17". w £ L{A(iq)). Moreover, as q was reached on u, it then follows that uw G £(-4). 

(3): Let w G T,'^ be such that there exists an accepting run in A, i.e., w G L{A). 
As 8 is the same for both automata, it follows that there also exists a run on the state 
space of CJ^, in a sense that for each symbol in w there always exists a successor state 
in Q\. Now, pick any u ^ w, then u G C{Q^) as all states in are accepting. □ 

Second, to obtain an NFA that contains only the good prefixes, but no other words, 
we proceed as follows. As (J^ is but an ordinary NFA, we can apply the standard sub- 
set construction to obtain a deterministic finite automaton (DFA) accepting the same 
language, and whose states consist of a subset of states of Qj^, respectively. Let Q_a = 
{S, Q', {Qo),5', F') be this DFA, defined as expected, except that we set the accepting 
states to be 

F' {(go, . . . ,<7„) G Q' \ C{A{qo)) U . . . U £(^(<Z„)) = S^]. 

Note that as a notational convention we let {qo, . . . ,qn) be the single DFA-state whose 
label is made up of the individual state labels go, • ■ • ; of Q^^. 

Proposition 8. C{Qa) = good{A). 

Proof. (C): Take any u G C{Qa)- By the subset construction and the fact that all states 
in C{Gj[) are accepting, it follows that u G C{Q^) must hold. Hence, u is a potentially 
good prefix of C{A). Now, recall that for u G C{Ga) to hold, Qa must be in some 
state (go, ■ ■ ■,qn) such that C{A{qo)) U . . . U C{A{qn)) = holds. Moreover, by the 
construction of C{Q^), we know that there exist n + 1 runs in ^ on li to the individual 
states qo, ■ . ■ ,qn, i.e., each of these state can be reached on u. Now, if the union of these 
states' individual languages corresponds to the universal language, then clearly 
u G good{A). 



(3): Take any u G good{A). By the previous proposition and the construction of 
Gj^, there exist runs on u in t/^ to states qq, . . . , qn, each of which is accepting, i.e., 
there is at least one such run. Moreover from the construction of Qj,, whose state graph 
corresponds to the deterministic variant of t/^, it follows that there has to be a state 
{qo, . . . ,qn) G Q' which can be reached on u. We now have to show that (go, • ■ • , 
is an accepting state of Qj[. For assume not, i.e., C{A{qo)) U . . . U C{A{qn)) 7^ 
holds, then there exists a word w £ S'^, such that w ^ C{A{qo)) U . . . U C{A{qn)), 
and consequently uw ^ C{A). Clearly, then u ^ good{C{A)) . Contradiction. □ 

Remark 1. In ITTI . Kupferman and Lampert discuss properties of an NFA, referred to 
as a "tight automaton," that accepts all the good prefixes of some NBA, A. The name 
stems from the fact that their paper is more concerned with the construction of so called 
"fine automata," which accept only some good prefixes, but not all. Although they do 
not explicitly give details on how to obtain a tight automaton, and only consider the 
special case where the NBA describes a co-safety language, they conclude, using a 
language-theoretic argument, that such an automaton must, in the worst-case, be of 
exponential size wrt. A — which agrees with our procedure above. Their restriction to 
only examine NBAs which describe co-safety languages seems motivated solely by 
their application of model checking (co-) safety languages. Consequently, they discuss 
how to obtain tight automata for NBAs describing safety languages, then accepting all 
the bad prefixes, and tight automata for for NBAs describing co-safety languages, then 
accepting all the good prefixes. However, it is easy to see that the constructions outlined 
on an abstract level by Kupferman and Lampert easily transfer to general NBAs, and 
result in the above described procedure when an acceptor for good prefixes is needed. 
Hence, Qj( can be considered as a general form of a tight automaton capturing good 
prefixes, regardless as to whether A describes a co-safety language, or not. 

6.2 Deciding monitorability — Tlie general case 

Now that we have all the required tools at hand, let us continue to prove this section's 
main result, namely the complexity of the monitorability problem of Biichi automata. 
We will do this by way of the following lemmas, which provide sufficient and necessary 
conditions for deciding the monitorability of a language defined by some NBA. 

Lemma 3. Ifiu G good{safe{A)). 3v G S* . uvE^ C C{live{A)), then A is moni- 
torable. 

Proof. For any u G good{safe{A)) there does not exist a d G S*, such that uvS'^ fl 
C{A) = as u is a good prefix of C{safe{A)), and C{live{A)) does not, by definition 
of live{A), have any bad prefixes. Now, if the assumption Vw G good{safe{A)). 3v G 
E*. uvE'^ C C{live{A)) holds, then any such u is extensible to to be a good prefix of 
C{live{A)) and thus C{A). 

On the other hand, if u ^ good{safe{A)), then by the definition of a closed set, 
this u is extensible to be a bad prefix of C{safe{A)) and thus C{A). 

As for any u ^ S*, either u G good{safe{A)), or not, any u can be extended to be 
either a good or a bad prefix of C{A) under the lemma's assumption. □ 



Corollary 1. If there exists no good prefix of C{safe{A)), then A is monitorable. 



Lemma 4. Let A be monitorable, then Vu G good{safe{A)). 3v G S*. uvS'^ C 
£{live{A)). 

Proof. We are going to show the contrapositive of the lemma's statement; that is, 3u G 
good{safe{A)). Vu G S*. uv ^ good{live{A)) implies that A is not monitorable. 
Let us now fix such a prefix u. Since u G good{safe{A)), for A to be monitorable 
after u, there would have to exist some v G S*, such that uv G good{live{A)), thus 
uv G good(sa/e(yl)nZii;e(^)), and therefore G .goo(i(yl). However, by assumption 
this is not possible. Hence, u is an "ugly prefix" of C{A) and, consequently, A not 
monitorable. □ 

Theorem 3. The monitorability problem ofBiichi automata is decidable in PSpace. 

Proof. Observe that due to Lemma [3] and H] the monitorability of A is decidable in 
PSpace if and only if it can be checked in PSpace, whether the following is true: 

Vu G good{3afe{A)). 3v G S* . uvS'^ C C{live{A}). (2) 

However, instead of giving an algorithm for checking if, for some A, this property 
holds, we devise an algorithm that returns tTue if the complementary statement holds, 
i.e., if 

3u G good{safe{A)). ^v G S* . uvS'^ % C{liveiA)) 

is true. For some A this is the case if there exists some finite word u G good{safe{A)), 
such that u cannot be extended to be a good prefix of £{live{A)). Let, therefore, Q 
be the tight automaton over S, such that C{G) = good{safe{A}). As pointed out 
in Remark [T] Q may, in the worst-case be of exponential size wrt. safe{A), which 
stems from the fact that a standard subset construction needs to be applied. In our case 
this means that the states of Q are the exponentially many sets of states of safe{A). 
Therefore, we can only guess, in a step-wise manner, a path through Q x live{A), 
corresponding to a word u G S*, to a pair of states {q, q'), where q is now a set of 
states of safe{A). Note that using S of A, we can easily check the connectedness of 
two states in Q x live{A) in PSpace. Next, we check if q is an accepting state in Q, 
which, by Proposition [8] is the case if and only if the states qo, . . . ,qn G g are such 
that C{safe{A){qo)) U . . . U C{safe{A){qn)) = ■ This property can be checked in 
PSpace in the size of safe{A), because the union of two NBAs is of polynomial size 
and determining language equivalence of two NBAs is a PSpace-complete problem 
II2TI . Moreover, as q' was reached on u, we have uvS'^ % Lilivei^A)) for all possible 
extensions u G Z"* if and only if live^A^) does not contain a state p that is reachable 
from g', such that L(live{A){j>)) is open. Using the algorithm presented in 13], which 
we have employed before, this can be checked in PSpace as well. So, if no such p exists 
and q is an accepting state in Q, then obviously uvS"^ % C{live{A)) for some u and 
all its possible extensions v G S* and, consequently, our algorithm returns true. 

This procedure for checking if the complement of (2) holds is nondeterministic and 
does not use more than polynomial space wrt. the size of A, and hence is in NPSpace. 
Again, as NPSpace = PSpace = co-PSpace, the statement follows. □ 



Theorem 4. The monitorability problem ofBuchi automata is PSpace-complete. 

Proof. It is sufficient to show PSpace-iiardness. We proceed by reducing the PSpace- 
complete problem of checking if some NFA B over some alphabet = {ai, . . . , a„}, 
is such that C{B) = S* Q- In other words, we construct for B in at most polynomial 
time an NBA, A, such that A is monitorable if and only if L{B) = S* . 

Let us first check if C{B) = is true. It is well known that this can be done in 
polynomial time (cf. Q)- If the answer is "yes", we return the NBA, A, which corre- 
sponds to the models of the LTL formula GFa over the alphabet S' := {a, h}, which 
by Proposition|4]is non-monitorable. 

If C{B) ^ 0, we proceed as follows. Let Si := {aj, . . . , a^}, S2 ■= ■ ■ ■ , a^} 
be alphabets. Let us construct, in linear time, an NFA, Bi, respectively B2, which is 
like B, except that it accepts C{B) projected onto Si, respectively onto IJ2- Let Bi, 
respectively B2, be the language accepted by Bi, respectively 62. We now construct an 
NBA A, such that it accepts the following language, split into three parts for readability: 

ii) {{Si\J S2T{BiB2\J B2Bi)Y 
{n) \J{{Si[JE2YBiY 
{Hi) U{{SiUE2)*B2)'^. 

It is easy to see that A can be constructed in time no more than polynomial wrt. the size 
of B. We now prove the following two claims. 

Let C{B) = S*, then A is monitorable: Notice first that a word w e {Si U 
either is 

- an alternation of finite words over Si and S2, 

- entirely over Si (respectively, S2), 

- an alternation of finite words over Si and S2, followed by an infinite word over 
Si or S2. 

One can easily verify that all these cases are covered by the language accepted by A. 
Hence, if £{B) — S*, then C{A) = S'^, and therefore A is monitorable. 

Let A be monitorable, then C{B) ~ S*: For assume not, that is, we assume A is 
monitorable, but that C{B) ^ S* holds. From the latter it follows that there must exist 
a finite word u G S*, corresponding to some word u' E S^, such that u ^ £{B), and 
consequently u' ^ Bi (respectively, for i?2)- Due to way we have chosen the w-regular 
expression above, this u' implies the existence of a language L C {Si U 172)", such that 
L 2 C{A); for example, we can easily prove that L {u'{Si U ^2))" is not a subset 
of any of the three sets given by (i) — {Hi) above, and hence L ^ C{A). Therefore, 
A is not universal over {Si U ^^2)". Notice further that all words w e C{A) are such 
that they require infinitely often the occurrence of a finite word u either in {i) B1B2 
and interchangeably with B2B1, {ii) Bi, or {Hi) B2. More concretely, all infinite w are 
such that finite words of the form 

(i) a\ . . . a^af. ■ ■ .af and optionally the mirrored version occur infinitely often, or 
{ii) a\ . . .a}j occurs infinitely often, or 
{Hi) af . . .a'j occurs infinitely often. 



where, for all indices g, we have e Si and £ 172. In what follows, let Li, La, and 
Liii be the languages corresponding to the sets given by (i), {ii), and (iw), respectively. 
It is obvious that Li, La and Lm each define a dense but not open set over the words in 
(I7i U 172)" as the infinite repetition of a finite word is required in each case. Moreover, 
as dense sets are closed under union lfT3l . and i,; U La U Lm = C{A), it follows that A 
defines a dense but not open set. Together with the fact that A is not universal, it follows 
that A defines a classical liveness property, i.e., is not monitorable. Contradiction. □ 

6.3 Deciding monitorability — The deterministic case 

It is weU-known that languages expressible by deterministic Biichi automata (DBAs) 
are strictly less expressive than the ones accepted by general (or, nondeterministic) 
NBAs: For example, one cannot express the language given by the w-regular expres- 
sion (a + h)*a'^ over S = {a, h} as can be easily proven. On the other hand, it is 
possible to represent all safety and co-safety languages using DBAs (cf. fTO'l), although 
not every DBA-representable language is necessarily monitorable as the example over 
S — {a, V\, depicted in Fig. [3] illustrates; obviously, the language has neither good nor 
bad prefix. Hence, it is reasonable wanting to be able to examine DBAs for their mon- 
itorability as well. Not surprisingly though, if we know that the automaton in question 
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Fig. 3. Deterministic Biichi automaton over S ~ {a, b} describing a non-monitorable 
language. 

is deterministic, we can check its monitorability more efficiently than before, using the 
criterion defind in Lemma|5] 

However, before examining this condition, let us first make the following assump- 
tion without loss of generality: let ^ be a complete automaton; that is, for each symbol 
a e and each state q G Q, there exists a state q' G Q, such that S{q, a) — q' . It is 
easy to see that completing a deterministic automaton takes time linear in the size of 
the automaton: one merely has to add a "trap"-state, the corresponding transitions, and 
self-loops to it as necessary. Let us use the symbol f to denote this special state. More- 
over as a further notational convention, if there exists a path in A, i.e., a state-action 
sequence, from state q to q', we also write q q' , or q ~~^„ q' to denote the fact that 
the sequence of actions in this path corresponds to the finite word u. 

Lemma 5. A deterministic Biichi automaton A, defined as expected, is monitorable if 
and only if for every state q E Q, it holds that 



- a path exists such that g f, or 



- a path exists, q g', with C{A{q')) = S^. 

Proof. As A is deterministic, let, in what follows, Qo = {^o}- 

If q ] holds then there exists a prefix uv G S*, such that uv G had{A) with 
9o q and 5 -^t, f. On the other hand, if a path exists, q ^ q' , such that C{A{q')) = 
17", then there exists a prefix G 17*, such that uv G goo(i(^) with go 9 ™d 
q q' ■ Obviously, if every state implies the existence of either a bad or a good prefix, 
then A is monitorable. 

For the other direction, assume the opposite, i.e., that A is monitorable and that 
there exists a state q, such that there do not exist paths [i) q ~^ ] and [ii] q q' , where 
C(A{q')) = Z"^. Let u G S* be the word defined by go q- From [i) it follows 
that u cannot be extended to be a bad prefix for A. From (ii) it follows that u cannot be 
extended to be a good prefix for A. Hence, u is an "ugly prefix", and A not monitorable. 
Contradiction. □ 

Theorem 5. The monitorability problem of Bilchi automata, when the automata are 
deterministic, can be solved in polynomial time. 

Proof. Recall, completion of A takes linear time wrt. the size of A. So, without loss of 
generality, we assume the input automaton A complete already. Checking the condition 
of Lemma |5] for A means iterating through the \Q\ states of A and checking for each 
q E Q whether any of the two sub-conditions holds. 

Using depth-first search, it is easy to see that the first condition can be checked in 
polynomial time (in fact, in time 0{\Q\ + \Q\ ■ \S\) = 0{\Q\ ■ as there are \Q\ ■ \E\ 
transitions in a complete automaton). 

The second condition involves checking for each reachable state, q', from state q, 
whether or not C{A{q')) = . In the general case, i.e., when A is nondeterministic, 
the latter problem is known to be PSpace-complete in the size of A. However, as A is 
deterministic, this condition can, in fact, be checked in time linear wrt. the size of A: In 
IfTSl . Kurshan outlines a construction for a DBA A' , such that C{A!) = C{A), where 
A' has only 2|Q| states. Now, checking if C{A') = holds is known to be LogSpace- 
complete for NLogSpace ll24l and clearly the case if and only if C{A) = holds. 

From these two observations it now easily follows that checking both conditions of 
Lemma[5]can be done in no more than polynomial time wrt. the size of A. □ 

Finally, observe that the non-monitorable DBA depicted in Fig. [3] is complete for 
E = {a, h}, but incomplete and monitorable for E ~ {a, b, c}. 

7 Closure of the monitorable -languages 

We now examine closure properties of monitorable w-languages. Let us fix two lan- 
guages L,M C 17" for the remainder of this section. 



Proposition 9. Let L and M be monitorable, then L H M is monitorable. 



Proof. Since L is monitorable two cases arise: every m e 17* is extensible to be a good 
prefix of L or to a bad prefix of L (or both, but this case is covered in the following): 

{i) Let us fix some u £ S*, such that uE'^ CiL = ^ holds. Then, irrespective of M, 
uS'^ n L n i\/ = 0, and hence u e bad{L n M). (ii) Let us fix some u G U*, such that 
uZ"" C L holds. Then, by the monitorability of M, 

3v e S*. uvS'^ n A/ = V uvS'^ C M. 

As before, if uvS'^ n M = 0, then uvS"^ n Af n i = and hence uv £ bad{L n M). 
On the other hand, if uvS'^ C A/, then uvS'^ C L D M and, consequently, uv G 
good{L n M). 

As all finite words are extensible to be either good or bad prefixes of L, and in either 
case it is possible to find a good or a bad prefix of L n M, we conclude that L D M is 
monitorable as well □ 

Proposition 10. Let L be monitorable, then L is monitorable. 

Proof. Follows directly from applying Proposition |2] to Proposition[T] □ 

Tlieorem 6. The monitorable ui-languages are closed under (finitary) application of 
intersection, complement, and union. 

Proof. Follows now easily from the fact that L U A/ = L n A/. □ 



8 Conclusions 

The formal concept of monitorability of an cj-regular language was first introduced by 
Pnueli and Zaks ifTSl . A subsequent result of |2| implies that the monitorability problem 
of LTL and NBAs as laid out in Sec. [3] is, in fact, decidable using a 2ExpSpace algo- 
rithm, whereas ||6l recently could show that the monitorable w-languages are strictly 
more expressive than the commonly used set of safety properties (and, in fact, an un- 
restricted Boolean combination thereof), known to be PSpace-complete when the lan- 
guage is given by an LTL formula or an NBA. The present paper closes the exponential 
"gap" that lies between these observations, in that it shows that the monitorability prob- 
lem of LTL and NBAs are both, in fact, PSpace-complete (unless, of course, the NBAs 
are, in fact, deterministic). 

Besides being of theoretical merit in order to being able to classify the monitorable 
w-regular languages wrt. existing classifications such as the safety-progress hierarchy, 
a practical interpretation of this result is that checking the monitorability of a formal 
specification, given as LTL formula or by an NBA, is computationally as involved as 
checking, say, if the specification defines a safety language. Moreover, knowing the 
upper bound of the problem, we can devise new and probably faster algorithms than Q 
for checking the monitorability of specifications, such that users can determine — prior 
to the actual runtime verification process, or any attempts to build a monitor — whether 
or not their specifications are monitorable at all. 

As a final theoretical contribution, it is worth pointing out that, using the results of 
this paper, one can easily show that the monitorability problem of w-regular expressions 



is also PSpace-complete, since there exists a polynomial time transformation from oj- 
regular expressions to NBAs, which yields membership in PSpace. Together with the 
proof of TheoremH] where we used w-regular expressions, we then obtain completeness 
for this problem. 
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